Native Vita Hacking: What’s the situation so far? (Part 2)
The other day I briefly touched upon the idea of using webkit as an entry point into native hacking, but I didn’t go into the actual current state of webkit’s development, so I’m gonna use this post exactly for that.
But it’s not gonna be me who talks about it; I’m gonna hand it over to a team member who has been a strong pillar in our quest for native Vita code execution. His name is CodeLion, known as bballing1 on /talk.
CodeLion has never been a big name within this scene, but he has been a member of the team for quite a while, and after dealing with life for a while, he came back a few months ago motivated enough to start development on webkit exploits. Soon enough he found an entry point and has been developing it ever since.
Sadly, we found out (don’t ask us how) that Sony will be updating webkit to a version that is invulnerable to our exploit, which means it will not be usable on later firmwares. CodeLion’s post is mostly targeted at those with enough knowledge who are interested in helping the cause, so you can know where we’re at and what is needed.
Here’s CodeLion’s part of the post:
Hey everyone
A short while ago Acid_Snake posted about the state of the Vita scene, calling to the forefront yifan’s recommendations to go after webkit.
Well you may all be in for some good news. Around July of this year, I returned to the scene after a while’s absence and decided to dedicate myself to webkit. I founded a new team dedicated solely to hacking the native side of the vita, codenamed Project Mayhem and eventually named “team mayh3m.”
Over a period of 3 months we have been able to get nearly all the way through the process of exploiting webkit. The purpose of this post is to encourage you not to update to 3.20 if you desire to work with webkit, as well as to bring other developers up to speed in terms of where we are in the exploiting process. I will not be covering the basics of ASLR, DEP, ROP, or other security concepts in this paper. If you need to learn those you will want to study the “useful links” section.
The following link gives you a good idea of the difficulty and ease of exploiting webkit:
https://labs.mwrinfosecurity.com/blog/2013/04/19/mwr-labs-pwn2own-2013-write-up—webkit-exploit/
Unfortunately the Vita is not vulnerable to that exploit; however, I was able to find several other exploitable bugs in the Vita webkit source. We currently have the ability to execute a single ARM instruction, 0xE7FE, which is equivalent to “while (1) {}”. This is a classic proof of code execution, as it causes the program to hang without crashing. It hangs in a very “clean” way, as it were. I will be releasing the exploits required to get to that point as soon as Sony patches them. A patch is anticipated in 3.20, as it looks as if Sony is going to be pushing for parity with the browser on the PlayStation 4.
We also have the ability to dump the RAM of the browser process. This is approximately equivalent to psplink’s savemem function. We are currently slightly stymied by ASLR, but expect to have full dumps of the process memory very soon.
The two exploits can be combined to begin a ROP chain to bypass ASLR and DEP. In theory, unsigned code running on the Vita in usermode is only a few steps away.
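As an added illustration (not part of CodeLion’s post or of the Vita webkit code): the 16-bit value 0xE7FE is the Thumb encoding of “b .”, a branch whose target is its own address, which is why it hangs cleanly instead of faulting. The helper names below are hypothetical; the block also encodes the equivalent ARM-state instruction and the little-endian byte pattern such a marker would show in a RAM dump.

```python
# Added example, not from CodeLion's post or the Vita webkit source.
# Decodes and encodes the branch-to-self used as a proof-of-execution marker,
# showing why 0xE7FE behaves like "while (1) {}". Helper names are hypothetical.


def _sext(value: int, bits: int) -> int:
    """Sign-extend the low `bits` bits of value."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)


def thumb_b_target(insn: int, addr: int) -> int:
    """Target of a 16-bit Thumb 'B <label>' (encoding T2: 11100 imm11).

    In Thumb state the PC reads as instruction address + 4, and imm11 counts
    halfwords, so the byte offset is sext(imm11 << 1, 12).
    """
    if insn & 0xF800 != 0xE000:
        raise ValueError("not a 16-bit Thumb unconditional branch: %#06x" % insn)
    return (addr + 4 + _sext((insn & 0x7FF) << 1, 12)) & 0xFFFFFFFF


def thumb_b_encode(addr: int, target: int) -> int:
    """Encode 'B target' placed at addr as a 16-bit Thumb instruction."""
    offset = target - (addr + 4)
    if offset % 2 or not -2048 <= offset <= 2046:
        raise ValueError("offset %d out of range for a 16-bit B" % offset)
    return 0xE000 | ((offset >> 1) & 0x7FF)


def arm_b_target(insn: int, addr: int) -> int:
    """Target of a 32-bit ARM 'B <label>' (cond 1010 imm24); PC = addr + 8."""
    if insn & 0x0F000000 != 0x0A000000:
        raise ValueError("not an ARM-state B: %#010x" % insn)
    return (addr + 8 + _sext((insn & 0xFFFFFF) << 2, 26)) & 0xFFFFFFFF


def arm_b_encode(addr: int, target: int, cond: int = 0xE) -> int:
    """Encode 'B target' (condition AL by default) as a 32-bit ARM instruction."""
    offset = target - (addr + 8)
    if offset % 4 or not -(1 << 25) <= offset <= (1 << 25) - 4:
        raise ValueError("offset %d out of range for an ARM B" % offset)
    return (cond << 28) | 0x0A000000 | ((offset >> 2) & 0xFFFFFF)


def is_self_loop(insn: int, addr: int, thumb: bool) -> bool:
    """True when the branch at addr jumps back to itself: a clean, crash-free hang."""
    target = thumb_b_target(insn, addr) if thumb else arm_b_target(insn, addr)
    return target == addr


def marker_bytes(thumb: bool = True) -> bytes:
    """Little-endian bytes of the self-loop, as they appear in a memory dump."""
    if thumb:
        return thumb_b_encode(0, 0).to_bytes(2, "little")
    return arm_b_encode(0, 0).to_bytes(4, "little")


if __name__ == "__main__":
    # The encoding is position independent: any address yields 0xE7FE.
    for addr in (0x0, 0x81000000, 0xFFFFFFFC):
        assert thumb_b_encode(addr, addr) == 0xE7FE
        assert is_self_loop(0xE7FE, addr, thumb=True)
    print("Thumb b . = %#06x, ARM b . = %#010x"
          % (thumb_b_encode(0, 0), arm_b_encode(0, 0)))
```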
I’ve got a collection of links and information below for you. The workflow should be as follows:
1. Search through CVE reports and bug tracker information for various webkit ports and find exploits that look promising (and have been patched in the latest version).
2. Look at the changelog to determine how the code was changed to patch the exploit.
3. Check whether Sony’s webkit source has been patched for the exploit.
4. Download or create a test for the exploit and run it on the Vita.
5. If you get a reload loop (the Vita browser will turn grey and say “please wait”), the browser is vulnerable to that exploit!
6. Now go figure out how to exploit it! I’m not gonna give you everything haha…
What you will need to help with the vita exploiting process:
SceWebkit source: http://www.scei.co.jp/psvita-license/webkit.html
Apache Server: http://www.wampserver.com/en/
A vita: http://www.amazon.com/PlayStation-Vita-Wifi/dp/B003O6EATE/ref=sr_1_2?ie=UTF8&qid=1411330952&sr=8-2&keywords=vita
What I recommend for working with webkit:
NotePad++
VMWare or equivalent running Ubuntu 11.04
Some Useful Links:
https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/
http://www.fireeye.com/blog/technical/cyber-exploits/2013/10/aslr-bypass-apocalypse-in-lately-zero-day-exploits.html
Some very useful links:
https://bugs.webkit.org/
http://www.exploit-db.com/
https://cve.mitre.org/index.html
What you are expected to know:
Have a decent understanding of C++ syntax
Have a decent understanding of modern exploit mitigation techniques (DEP, ASLR, etc)
Have a strong understanding of computer science and security in general
So in summary, the vita exploiting workflow is not all that much more complicated than the PSP exploiting workflow, except instead of trying lots of PSP games for crashes, you are trying lots of HTML files.
A release is imminent with an HTML file capable of dumping the Webkit process memory.
A release is coming within the next months capable of running unsigned code through a ROP chain.
Future steps include a compiler to ROP, allowing any ordinary developer to compile code for the native Vita. That’s right, some day quite soon, anyone will be able to compile a hello world for the native Vita.
Happy Hacking!
CodeLion
For the end user this means that there are a few things that need to be done to get homebrews working: a ROP compiler, an SDK and enough homebrew developers interested in coding homebrews that take advantage of what the exploit has to offer. Fortunately those things are easy to do (and we are in the process of doing them: we have people working on ROP, and codestation and I are working on the SDK), except for the homebrew developers part.
But there’s one more thing to overcome: NID poisoning. But I will leave that for the next post.
If I’m reading correctly, Yifan Lu is saying that the browser is an entry point which will not be needed later after control has been obtained… Point is that there will be a possible ability to update later after the necessary files are installed…. Then the ban hammer comes down. :-> Just saying that the better web browser will still be available later along with remote play…. Kinda like the PS3…. Much more complicated with the CMA *** and more robust security measures…. But if this pans out, that’s where I see it headed.
What yifanlu is saying is something I will be saying in later posts.
Webkit is not at all the pinnacle of it; it only allows for ROP code to be executed. With a good ROP compiler and memory dump analyzer you can do some homebrews, but the amount of imports available is more limited, so we can’t just stop here, we gotta aim higher. Of course there could be a lot of time lapsed between now and getting a (much better) VSH exploit (more imports), and Sony is already going to update webkit to a version without our exploit, so we might as well make it public and give away some sort of SDK to allow for homebrews to be developed to a certain degree while we keep trying to gain better code execution.
BTW… I’ve posted drunk comments on here before and having reread some of my own, I have to ask: you were drinking a lil when you put this together, weren’t you, Acid_Snake?
Normally I would say yes, I drink a shitton, but no I wasn’t drinking when writing these articles.
Sorry for the accusation… I was hoping to peg ya. :->
When this comes out we can steal and download any game we want? Wow, this is the best news ever!!!!! You guys need to hurry up I’ve got a lot of downloading to do. Go Pirates!!!!
ha, going on SAFARI is fun! even on the vita 😛
spawn just install a pkg that installs unsigned pkg’s.
SAFARIs are fun! Even on the Vita, but you won’t be able to execute unsigned code there 😛
Future Vita homebrew developer standing by.
Pong clones for everybody!
I’m hoping that this eventually leads to Vita CFW that allows for external HDD support on the Vita TV/PS TV. That minor bit of functionality would do wonders for its viability.
The feature that I’m waiting for is to dump all of my Vita games. I have about 15 carts (and counting) and it’s very inconvenient swapping ’em once in a while… And it’s better to just seal those carts forever to preserve them…
I have a question and ask for clarification, so don’t say things like “you are crazy” etc. LOL
Question is: so the Vita can handle a PS2 emulator, but can it run PS2 Classics or converted PS2 Classics like the PS3? How do these PS2 Classics work? Why do they need conversion? In emulators, games don’t need a conversion, right, so PS2 Classics on PS3 are not an emulator. Someone on GameFAQs said that PS2 Classics are only an optimization of the PS2 game that allows it to run on PS3, and so he said that this way may also work for the PS Vita: not an emulator, but conversion/optimization of PS2 games to allow them to run on the PS Vita. Is it really possible? I know that for certain answers we first need a native hack and all the PS Vita’s potential, but in theory? Can it work?
Actually, PS2 Classics on the PS3 ARE emulated. If you have a hacked firmware on the regular slim PS3, you can find proof of it yourself. You can even use it, similar to the PSP POPs system. By that I mean you can take PS2 games and “convert them” into PS2 Classics to play on your PS3. I won’t entertain it here, just search it up, it’s a popular method. This ties into the next point of your post, where you were saying how they are released with patches to even run? The problem with converting to PS2 Classics on a hacked PS3 is that not a lot of games are compatible, so yes, you’re right. Of course fully accurate software emulation of the PS2 would be very tough to accomplish even nowadays. Look at PCSX2. Great emulator, but there are some crippling visual bugs in games like SOTC, MGS3, R&C, SH, etc., and they likely won’t be fixed for a while. However, what Sony can do is “patch” the game so the PS3 software emulator interprets it differently, basically hacking it. Sometimes these hacks give it a cheap and noticeable difference, though it seems the more popular games do not have this problem. That’s why not all PS2 games are released as PS3 Classics: it requires work from the Sony side to get them to work.
Also, the conversion/optimization thing you’re talking about is literally porting. Taking the master code of one game and rewriting it on a different system using its architecture and devkits. Then the question begins: can you really play PS2 games on the Vita? Well, can you? The Vita, with its nearly free and modern, intuitive devkits? Respected amongst lots of devs throughout the entire video game community? Whereas the PS2 devkits were commonly shunned for being extremely hard to use (classic example: Resident Evil 4)? While the PS2 has a max CPU clock of 250 MHz and a GPU at 150 MHz, the Vita has a quad-core ARM-based chip with a maximum clock of 2 GHz? It’s no doubt the Vita is more powerful than the PS2 and thus can handle games of similar and better quality. It just depends on how well the developers want to optimize the game. But to answer your question, no, there is no way to “convert” code to a different architecture. You can only run a program to interpret the code, which requires the ability to run unsigned code. A PSV might be able to emulate some simplistic-looking PS2 games, but that depends on whether someone is willing to go through the trouble of optimizing a PS2 emulator for the PSV. I mean, I guess PCSX2 is open source so that might work, but enjoy only playing some sprite-based games, I’m guessing.
Thanks for your answer. So, even without full compatibility, you really think that the PSV can run a PS2 emulator?
It can run a PS2 emulator no doubt. Wherever you have access to write and launch code, you can code anything you want on it. But it would really depend on which games you are playing, as I don’t see the Vita running most 3D PS2 titles, I don’t think it has enough power. I can imagine some sprite-based games would work fine, like Mana Khemia, GrimGrimoire, Odin Sphere, and Disgaea but that’s only if it is a well-coded emulator, and beyond that, don’t expect nice 3d titles like SOTC, GoW, R&C, etc.
Sony likely has more knowledge on how to make a PS2 emulator run decently with some edits, it’s just that of course they’re not going to spend a lot of time on it as there’s not much money to be made with it. Look at Fatal Frame, the PS2 classic version on PS3 and the PS2 version on PCSX2. The PS2 classic version runs well, whereas on PCSX2 the game has a lot of bugs that are mostly fixed by changing to software mode (which makes it very difficult to play). Our best bet for PS2 games on the PSVita is for Sony to do their magic but I doubt they’re ever going to ever put actual effort into it.
Honestly, count on a functional N64 emulator before a PS2 emulator; N64 seems a lot more reasonable. God, I can’t wait for the native hacks to come out just for the emulators. Anyone else really wanting a DS emulator? You could put the screens side by side, plus the Vita has touch controls just like the DS. I really hate Nintendo hardware, so I can’t bring myself to play a lot of games that otherwise seem cool, like 999, Ghost Trick, TWEWY, etc.
Yeah, a full N64 emulator will be great too. Maybe also Dreamcast. Also, my dream is PS2/Xbox/GameCube games on a portable XD With Vita CFW I hope also for some amazing plugins like CWCheat and MacroFire, very useful. So, according to you, a PS2 emulator on the Vita can’t run even a not so “heavy” game like POP The Sands of Time or Teenage Mutant Ninja Turtles? XD
The main feature I’m waiting for is to never pay for any vita games and just pirate them all for free. Whoo hoo, we all can’t wait, soon enough it will be here.
Dude why such troll?
I think like him.
@Tom : Worst comment ever …
Tom has the right idea, we need it as soon as possible so we can start stealing.
I’ll gladly pay for games. I just want to be able to Edit my save game data!!
Coooooool, quite a good article for those having some understanding of CS and programming. Google is patching Chrome and rewarding hackers for a more secure browser, but Sony does not. One day Sony will pay for their laziness, watching us playing dumped games.
you dont crack for the community, but for your own kind of challenge…
and the privilege to laugh sony right at its face
I’ll have a vita exploit by the middle of october, with dumping of memory and all that good stuff.
It is now 2015. *** detected.
Well, found one that works on the Vita browser (loop please wait), not sure if its exploitable yet though.
Can somebody help me out to find a GBA_Bios file for the new 3.18 firmware (U O gpSP) please
Google it
http://migre.me/o4NEc
I have dozens of purchased Vita games through PSN and I fully support this. Why? Not because of the free games. It’s called getting the most out of your hardware. Not through free games, but by bypassing all the friggin’ restrictions Sony put on their amazing device. When it came out it had amazing power under the hood (I think it still does compared to other handhelds). And what does Sony do? For the fat Vita, they didn’t include TV out (not sure if it’s an option for the new Vita). They put in an absolutely crude and ridiculous OS. No PDF reader, and I don’t want to fuss with that browser workaround. These and a whole lot more things.
When I buy a hammer, the makers of that hammer should have NO *** SAY in how I use it. If I want to use it as a paperweight, they have no business telling me I can’t. And that’s what I want for my Vita. Not as a paperweight, but to do everything that the hardware included SHOULD allow me to use it for.
Not just that, most of the games and accessories on the Vita are a rip-off: $70-80 for a single game in my country.
This is why piracy exists and will continue to do so until the creators realise consumers are not fools; we know that charging so much for a $30 (US price) game is a big no-go.
That’s why I do not fully support anti-piracy.
I do purchase from and support devs and companies who deserve it and aren’t asking undeserving rates based on country.
I’m a dev myself and I know it’s tough to make money, but it’s no reason to overcharge and loot consumers based on country.
iTunes is a good example: $2 for a movie while some other companies want $15, which is BS. In a case like this I will buy the iTunes one instead of buying the $15 one and avoid piracy, because $2 is a fair deal.
I’ll have something out at the end of Sept where you can use your own store bought memory card and native vita downloads.
Don’t steal people’s identity..
While I do not condone piracy, I agree with a comment made, if I did pick it up correctly.
Why doesn’t a dev try to do for the Vita what Saurik does for iOS? Then we would be paying all devs
an sc*** over Apple. Obv, I do not mean try JB, I mean little things, from releasing PS1 loaders to
a range of other things. Just my 2p worth, guys. 🙂 Let’s not bombard the n00b with insults now.
I was looking to install my old PSP games on my Vita this weekend. Looks like it ain’t happening, 3.30 just got released. Just wow.
Hello… If I wanted to learn hacking the Vita from the basics, where would be a good point for me to start?